Explore various techniques like dataflow analysis, pointer alias analysis, and abstract interpretation to improve source code security automatically. Focus on languages like PHP, C, Java, and C++.
Methods of increasing source code security automatically
Ben Chelf, CTO

10,000 foot view

MAGIC STATIC ANALYSIS BOX: dataflow analysis, pointer alias analysis, abstract interpretation, model checking, flow-sensitive, flow-insensitive, context-sensitive, context-insensitive, interprocedural, intraprocedural, solving constraints

In: PHP code, C code, Java code, C++ code. Out: security vulnerabilities.

Coverity Confidential: Do not distribute
What to look for?

    {
        /* No sizes visible: nothing can be said about this copy yet. */
        strcpy(dest, src);
    }

What to look for?

    {
        char src[100];
        char dest[50];
        /* 100-byte source into a 50-byte destination. */
        strcpy(dest, src);
    }

What to look for?

    {
        char src[50];
        char dest[50];
        /* Equal sizes: fits only if src is NUL-terminated within its 50 bytes. */
        strcpy(dest, src);
    }

What to look for?

    {
        char src[50];
        char dest[50];
        src[sizeof(dest) - 1] = 0;   /* strlen(src) is now at most 49 */
        strcpy(dest, src);
    }
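The four fragments above are the kind of reasoning a dataflow-based checker has to reproduce: track the declared size of each buffer, notice when a statement bounds the string length of a source, and judge the strcpy call with the facts that hold at that point. As an added illustration (not code from the slides or from Coverity), here is a toy flow-sensitive checker in Python that walks the statements of each fragment in order and reports a verdict for the strcpy call. The statement grammar it accepts (char array declarations, `buf[sizeof(other) - 1] = 0`, and `strcpy(dest, src)`) is an assumption chosen to cover exactly these four cases; the snippets in `CASES` are constructed copies of the slide fragments.

```python
import re

# Constructed snippets that mirror the four "What to look for?" cases above.
CASES = {
    "unknown":   "{ strcpy(dest, src); }",
    "overflow":  "{ char src[100]; char dest[50]; strcpy(dest, src); }",
    "same_size": "{ char src[50]; char dest[50]; strcpy(dest, src); }",
    "truncated": "{ char src[50]; char dest[50]; src[sizeof(dest) - 1] = 0; strcpy(dest, src); }",
}

# The three statement shapes this toy analyser understands (an assumption of the example).
DECL = re.compile(r"char\s+(\w+)\s*\[\s*(\d+)\s*\]\s*;")
TERM = re.compile(r"(\w+)\s*\[\s*sizeof\s*\(\s*(\w+)\s*\)\s*-\s*1\s*\]\s*=\s*0\s*;")
CALL = re.compile(r"strcpy\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*;")


def split_statements(snippet):
    """Turn '{ a; b; }' into ['a;', 'b;'] (enough for these one-block snippets)."""
    body = snippet.strip().strip("{}")
    return [s.strip() + ";" for s in body.split(";") if s.strip()]


def judge_strcpy(dest, src, sizes, maxlen):
    """Decide whether strcpy(dest, src) can overflow given the facts collected so far."""
    if dest not in sizes or src not in sizes:
        return ("UNKNOWN", f"strcpy({dest}, {src}): buffer sizes not visible here")
    room = sizes[dest] - 1  # characters dest can hold before its terminator
    if src in maxlen:       # an explicit terminator bounds strlen(src)
        if maxlen[src] <= room:
            return ("SAFE", f"strlen({src}) <= {maxlen[src]}, {dest} has room for {room}")
        return ("OVERFLOW", f"strlen({src}) may reach {maxlen[src]}, {dest} has room for {room}")
    # No terminator written: even in the best case strlen(src) may be sizes[src]-1,
    # and an unterminated src makes strcpy read (and copy) past the end of src.
    best_case = sizes[src] - 1
    if best_case > room:
        return ("OVERFLOW", f"{src} can hold {best_case} chars, {dest} only {room}")
    return ("MAYBE", f"fits only if {src} is NUL-terminated within its {sizes[src]} bytes")


def check_strcpy(snippet):
    """Flow-sensitive walk: facts are updated statement by statement, in order."""
    sizes = {}   # buffer name -> declared size in bytes
    maxlen = {}  # buffer name -> proven upper bound on strlen()
    findings = []
    for stmt in split_statements(snippet):
        m = DECL.match(stmt)
        if m:
            sizes[m.group(1)] = int(m.group(2))
            maxlen.pop(m.group(1), None)  # a fresh array carries no terminator guarantee
            continue
        m = TERM.match(stmt)
        if m:
            buf, ref = m.group(1), m.group(2)
            if buf in sizes and ref in sizes:
                idx = sizes[ref] - 1
                if idx < sizes[buf]:
                    maxlen[buf] = idx  # buf[idx] == 0, so strlen(buf) <= idx
                else:
                    findings.append(("OVERFLOW", f"{buf}[{idx}] is past its size {sizes[buf]}"))
            continue
        m = CALL.match(stmt)
        if m:
            findings.append(judge_strcpy(m.group(1), m.group(2), sizes, maxlen))
    return findings


def verdicts(cases=CASES):
    """Map each case name to the verdict for its strcpy call."""
    return {name: check_strcpy(code)[-1][0] for name, code in cases.items()}


if __name__ == "__main__":
    for name, code in CASES.items():
        for verdict, why in check_strcpy(code):
            print(f"{name:10s} {verdict:9s} {why}")
```

The verdicts come out as UNKNOWN, OVERFLOW, MAYBE and SAFE for the four cases in order. The MAYBE on the equal-size case is the honest answer a sound analyser has to give: nothing in the fragment proves that `src` is terminated, and that is exactly what the explicit `src[sizeof(dest) - 1] = 0` in the last fragment supplies. A real tool replaces the regexes with a parser and the two dictionaries with per-program-point abstract states, but the shape of the reasoning is the same.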
The Promise of Static Analysis Tools

Software development process: Design, Code, QA, Release. Integrate static analysis into the process.

BENEFITS
• Detects problems early in the SDLC
• No test cases required
• Points to specific lines of code
• Finds systematic bugs and security vulnerabilities
Research techniques (not exhaustive)
• Shankar, Talwar, Foster, Wagner (2001)
• Ashcraft, Engler (2002)
• Yang, Kremenek, Xie, Engler (2003)
• Huang, Yu, Hang, Tsai, Lee (2004)
• Livshits and Lam (2005)
• Xie and Aiken (2006)
• Jovanovic, Kruegel, Kirda (2006)
• …many others
Making it work in the real world
• Build systems
• Parsing code
• Analysis time
• Configuration for the code
• Noise versus false positives
• What to report
• Reviewing the results

In: PHP code, C code, Java code, C++ code
Evil Tetris

    /*
     * Set times to 0 except for
     * high score on each level.
     */
    for (i = MINLEVEL; i < NLEVELS; i++)
        levelfound[i] = 0;
    for (i = 0, sp = scores; i < nscores; i++, sp++) {
        /* sp->hs_level indexes levelfound[] with no check against MINLEVEL..NLEVELS */
        if (levelfound[sp->hs_level])
            sp->hs_time = 0;
        else {
            sp->hs_time = 1;
            levelfound[sp->hs_level] = 1;
        }
    }
Do you use X?

    if (getuid() != 0 && geteuid == 0) {
        ErrorF("only root");
        exit(1);
    }

"Since without the parentheses, the code is simply checking to see if the geteuid function in libc was loaded somewhere other than address 0 (which is pretty much guaranteed to be true), it was reporting it was safe to allow risky options for all users, and thus a security hole was born."
- Alan Coopersmith, Sun Developer
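The bug quoted above is a pattern a checker can catch mechanically: a function name that appears as a bare operand of `==` or `!=` is comparing the function's address, which is never 0, so the test has a constant result and almost certainly meant to call the function. As an added illustration (not code from the slides, from Coverity, or from the X server project), here is a small Python checker that scans source lines for that pattern and proposes the call-form fix. The list of known function names is a constructed subset standing in for what a real tool would take from the declarations it has parsed, and the sample lines are constructed, with the second one reproducing the slide's bug.

```python
import re

# Constructed sample lines; line 2 reproduces the bug shown on the slide.
SAMPLE_LINES = [
    "if (getuid() != 0 && geteuid() == 0) {",   # correct: both functions are called
    "if (getuid() != 0 && geteuid == 0) {",     # bug: geteuid compared, not called
    "if (0 != getuid) {",                       # same bug with the operands reversed
    "uid_t geteuid_result = geteuid();",        # longer identifier, not a function name
    "if (fp == NULL) {",                        # ordinary comparison, nothing to report
]

# Function names the checker knows about. A real tool would collect these from
# the declarations it parsed; this constructed libc subset stands in for that.
KNOWN_FUNCTIONS = {"getuid", "geteuid", "getgid", "getegid", "getpid", "strlen"}

# identifier OP identifier, where neither operand is followed by '(' (i.e. neither is a call).
COMPARE = re.compile(r"\b(\w+)\s*(==|!=)\s*(\w+)\b(?!\s*\()")


def find_uncalled_function_compares(lines, functions=KNOWN_FUNCTIONS):
    """Return (line_number, function_name) for every known function name that is
    used as a bare operand of == or !=. Such a comparison tests the function's
    address, which is never 0, so its result is fixed at compile time."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in COMPARE.finditer(line):
            for operand in (m.group(1), m.group(3)):
                if operand in functions:
                    findings.append((lineno, operand))
    return findings


def suggest_fix(line, name):
    """Rewrite a bare use of `name` in `line` as a call, leaving existing calls alone."""
    return re.sub(rf"\b{re.escape(name)}\b(?!\s*\()", name + "()", line)


if __name__ == "__main__":
    for lineno, name in find_uncalled_function_compares(SAMPLE_LINES):
        bad = SAMPLE_LINES[lineno - 1]
        print(f"line {lineno}: function '{name}' compared without being called")
        print(f"    was: {bad}")
        print(f"    fix: {suggest_fix(bad, name)}")
```

On the sample input the checker reports lines 2 and 3 and leaves the correctly written line 1 alone; the suggested fix for line 2 is precisely the corrected form, `geteuid() == 0`. The same "address of a function is never null" fact is what a compiler warning for this class of mistake relies on, and a static analyser that knows the declared kind of every identifier can apply it across every comparison in the code base rather than relying on a reviewer to spot two missing characters.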